1 Index: bind8/src/lib/irs/dns_ho.c
2 diff -c bind8/src/lib/irs/dns_ho.c:1.36 bind8/src/lib/irs/dns_ho.c:1.39
3 *** bind8/src/lib/irs/dns_ho.c:1.36 Thu May 30 23:05:30 2002
4 --- bind8/src/lib/irs/dns_ho.c Wed Jun 26 20:56:32 2002
13 #include <isc/memcluster.h>
17 const struct addrinfo *pai);
19 static void map_v4v6_hostent(struct hostent *hp, char **bp,
21 static void addrsort(res_state, char **, int);
22 static struct hostent * gethostans(struct irs_ho *this,
23 const u_char *ansbuf, int anslen,
25 const struct addrinfo *pai);
27 static void map_v4v6_hostent(struct hostent *hp, char **bp,
29 static void addrsort(res_state, char **, int);
30 static struct hostent * gethostans(struct irs_ho *this,
31 const u_char *ansbuf, int anslen,
34 struct addrinfo **ret_aip, const struct addrinfo *pai)
36 struct pvt *pvt = (struct pvt *)this->private;
37 ! int type, class, buflen, ancount, qdcount, n, haveanswer, had_error;
38 int error = NETDB_SUCCESS, arcount;
39 int (*name_ok)(const char *);
42 struct addrinfo **ret_aip, const struct addrinfo *pai)
44 struct pvt *pvt = (struct pvt *)this->private;
45 ! int type, class, ancount, qdcount, n, haveanswer, had_error;
46 int error = NETDB_SUCCESS, arcount;
47 int (*name_ok)(const char *);
54 ! char *bp, **ap, **hap;
55 char tbuf[MAXDNAME+1];
56 struct addrinfo sentinel, *cur, ai;
57 const u_char *arp = NULL;
62 ! char *bp, *ep, **ap, **hap;
63 char tbuf[MAXDNAME+1];
64 struct addrinfo sentinel, *cur, ai;
65 const u_char *arp = NULL;
68 qdcount = ntohs(hp->qdcount);
69 arcount = ntohs(hp->arcount);
71 ! buflen = sizeof pvt->hostbuf;
72 cp = ansbuf + HFIXEDSZ;
74 RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
77 ! n = dn_expand(ansbuf, eom, cp, bp, buflen);
78 if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) {
79 RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
82 qdcount = ntohs(hp->qdcount);
83 arcount = ntohs(hp->arcount);
85 ! ep = pvt->hostbuf + sizeof(pvt->hostbuf);
86 cp = ansbuf + HFIXEDSZ;
88 RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
91 ! n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
92 if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) {
93 RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
97 pvt->host.h_name = bp;
101 /* The qname can be abbreviated, but hname is now absolute. */
102 qname = pvt->host.h_name;
109 while (ancount-- > 0 && cp < eom && !had_error) {
110 ! n = dn_expand(ansbuf, eom, cp, bp, buflen);
111 if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) {
117 while (ancount-- > 0 && cp < eom && !had_error) {
118 ! n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
119 if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) {
126 if ((qtype == T_A || qtype == T_AAAA || qtype == ns_t_a6 ||
127 qtype == T_ANY) && type == T_CNAME) {
129 + int level = LOG_CRIT;
130 + #ifdef LOG_SECURITY
131 + level |= LOG_SECURITY;
134 + "gethostans: possible attempt to exploit buffer overflow while looking up %s",
135 + *qname ? qname : ".");
137 if (ap >= &pvt->host_aliases[MAXALIASES-1])
139 n = dn_expand(ansbuf, eor, cp, tbuf, sizeof tbuf);
143 n = strlen(bp) + 1; /* for the \0 */
146 /* Get canonical name. */
147 n = strlen(tbuf) + 1; /* for the \0 */
148 ! if (n > buflen || n > MAXHOSTNAMELEN) {
154 n = strlen(bp) + 1; /* for the \0 */
156 /* Get canonical name. */
157 n = strlen(tbuf) + 1; /* for the \0 */
158 ! if (n > (ep - bp) || n > MAXHOSTNAMELEN) {
164 pvt->host.h_name = bp;
170 if (type == ns_t_dname) {
176 n = strlen(t) + 1; /* for the \0 */
184 n = strlen(t) + 1; /* for the \0 */
185 ! if (n > (ep - bp)) {
202 /* Get canonical name. */
203 n = strlen(tbuf) + 1; /* for the \0 */
214 if (qtype == T_ANY) {
217 /* Get canonical name. */
218 n = strlen(tbuf) + 1; /* for the \0 */
219 ! if (n > (ep - bp)) {
228 if (qtype == T_ANY) {
234 ! n = dn_expand(ansbuf, eor, cp, bp, buflen);
235 if (n < 0 || !maybe_hnok(pvt->res, bp) ||
236 n >= MAXHOSTNAMELEN) {
242 ! n = dn_expand(ansbuf, eor, cp, bp, ep - bp);
243 if (n < 0 || !maybe_hnok(pvt->res, bp) ||
244 n >= MAXHOSTNAMELEN) {
249 n = strlen(bp) + 1; /* for the \0 */
258 pvt->host.h_name = bp;
263 /* Ensure alignment. */
264 bp = (char *)(((u_long)bp + (sizeof(align) - 1)) &
269 if (pvt->host.h_name == NULL) {
270 n = strlen(qname) + 1; /* for the \0 */
271 ! if (n > buflen || n >= MAXHOSTNAMELEN)
274 pvt->host.h_name = bp;
278 if (pvt->res->options & RES_USE_INET6)
279 ! map_v4v6_hostent(&pvt->host, &bp, &buflen);
280 RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
285 if (pvt->host.h_name == NULL) {
286 n = strlen(qname) + 1; /* for the \0 */
287 ! if (n > (ep - bp) || n >= MAXHOSTNAMELEN)
290 pvt->host.h_name = bp;
293 if (pvt->res->options & RES_USE_INET6)
294 ! map_v4v6_hostent(&pvt->host, &bp, ep);
295 RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
303 ! map_v4v6_hostent(struct hostent *hp, char **bpp, int *lenp) {
306 if (hp->h_addrtype != AF_INET || hp->h_length != INADDRSZ)
311 ! map_v4v6_hostent(struct hostent *hp, char **bpp, char *ep) {
314 if (hp->h_addrtype != AF_INET || hp->h_length != INADDRSZ)
318 i = sizeof(align) - i;
320 ! if (*lenp < (i + IN6ADDRSZ)) {
321 /* Out of memory. Truncate address list here. */
327 map_v4v6_address(*ap, *bpp);
330 - *lenp -= IN6ADDRSZ;
336 i = sizeof(align) - i;
338 ! if ((ep - *bpp) < (i + IN6ADDRSZ)) {
339 /* Out of memory. Truncate address list here. */
344 map_v4v6_address(*ap, *bpp);
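Review bot: In gethostans the free space is now recomputed as `ep - bp` at each use, but the round-up under the "Ensure alignment" comment advances `bp` with no re-check against `ep` visible in these hunks. The `n > (ep - bp)` tests fail closed when that difference goes negative, whereas the `dn_expand(ansbuf, eor, cp, bp, ep - bp)` calls would pass the negative value on as a buffer length. An explicit guard after the alignment step, e.g. `if (bp >= ep) { had_error++; continue; }` if that step sits inside the answer loop, would keep the length non-negative; the function body extends beyond the visible lines, so such a check may already exist. A comment at the assignment, `/* ep: one past the end of hostbuf; free space is always ep - bp */`, would record why no counter is decremented any more. The same `ep - bp` length argument is passed to dn_expand in the dns_nw.c section.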
350 Index: bind8/src/lib/irs/dns_nw.c
351 diff -c bind8/src/lib/irs/dns_nw.c:1.22 bind8/src/lib/irs/dns_nw.c:1.23
352 *** bind8/src/lib/irs/dns_nw.c:1.22 Tue Feb 26 19:50:10 2002
353 --- bind8/src/lib/irs/dns_nw.c Wed Jun 26 00:42:06 2002
356 int af, const char *name, const u_char *addr, int addrlen)
358 struct pvt *pvt = (struct pvt *)this->private;
359 ! int type, class, buflen, ancount, qdcount, haveanswer;
365 int af, const char *name, const u_char *addr, int addrlen)
367 struct pvt *pvt = (struct pvt *)this->private;
368 ! int type, class, ancount, qdcount, haveanswer;
369 ! char *bp, *ep, **ap;
376 /* Prepare a return structure. */
378 ! buflen = sizeof pvt->buf;
379 pvt->net.n_name = NULL;
380 pvt->net.n_aliases = pvt->ali;
381 pvt->net.n_addrtype = af;
384 /* Prepare a return structure. */
386 ! ep = pvt->buf + sizeof(pvt->buf);
387 pvt->net.n_name = NULL;
388 pvt->net.n_aliases = pvt->ali;
389 pvt->net.n_addrtype = af;
393 int n = strlen(name) + 1;
396 RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
399 pvt->net.n_name = strcpy(bp, name);
405 if (addr != NULL && addrlen != 0) {
406 int n = addrlen / 8 + ((addrlen % 8) != 0);
408 ! if (INADDRSZ > buflen) {
409 RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
414 int n = strlen(name) + 1;
416 ! if (n > (ep - bp)) {
417 RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
420 pvt->net.n_name = strcpy(bp, name);
425 if (addr != NULL && addrlen != 0) {
426 int n = addrlen / 8 + ((addrlen % 8) != 0);
428 ! if (INADDRSZ > (ep - bp)) {
429 RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
435 pvt->net.n_addr = bp;
437 - buflen -= INADDRSZ;
446 while (--ancount >= 0 && cp < eom) {
447 ! int n = dn_expand(ansbuf, eom, cp, bp, buflen);
450 if (n < 0 || !maybe_dnok(pvt->res, bp) ||
454 while (--ancount >= 0 && cp < eom) {
455 ! int n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
458 if (n < 0 || !maybe_dnok(pvt->res, bp) ||
461 if (class == C_IN && type == T_PTR) {
464 ! nn = dn_expand(ansbuf, eom, cp, bp, buflen);
465 if (nn < 0 || !maybe_hnok(pvt->res, bp) || nn != n) {
466 RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
469 if (class == C_IN && type == T_PTR) {
472 ! nn = dn_expand(ansbuf, eom, cp, bp, ep - bp);
473 if (nn < 0 || !maybe_hnok(pvt->res, bp) || nn != n) {
474 RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
488 sscanf(bp, "%u.%u.%u.%u.in-addr.arpa",
489 &b1, &b2, &b3, &b4) != 4)
491 ! if (buflen < INADDRSZ) {
492 RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
496 sscanf(bp, "%u.%u.%u.%u.in-addr.arpa",
497 &b1, &b2, &b3, &b4) != 4)
499 ! if ((ep - bp) < INADDRSZ) {
500 RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
508 - buflen -= INADDRSZ;
509 pvt->net.n_length = INADDRSZ * 8;